A comprehensive overview of file deletion and password cracking techniques commonly used in computer forensics investigations. It explores how files are deleted in different Windows operating systems, including the FAT and NTFS file systems, and the methods used to recover deleted files. The document also covers password cracking techniques, such as brute force, dictionary and rainbow attacks, and the tools used for password recovery. It further examines anti-forensics techniques, including file deletion, steganography and trail obfuscation, and highlights the importance of implementing countermeasures against them. The document concludes with tools and techniques for gathering volatile information about logged-on users, open files, network connections and processes.
Windows: When a user deletes a file, the OS does not actually delete the file, it - ✔✔marks the file's directory entry (FAT) or MFT record (NTFS) as no longer in use. The clusters the file occupied are marked free and may be reused, but their contents are not wiped
FAT - The OS replaces the first letter of the deleted filename with - ✔✔E5h in the 32-byte directory entry and releases the file's entries in the FAT. The corresponding clusters of that file are marked unused, even though they are not empty. Until these clusters are overwritten, the file can still be recovered; because the cluster chain in the FAT is also cleared, a fragmented file may need to be carved rather than followed
Deleted files in NTFS - The OS marks the index field in the MFT with a special code. - ✔✔The in-use flag in the file's MFT record header is cleared and the file's clusters are marked free in $Bitmap. The computer now treats the clusters occupied by that file as empty. Until these clusters (and the MFT record itself) are overwritten, the file can be recovered
Recycle Bin - ✔✔A place to store files that are marked for deletion, so that deleting a file normally moves it rather than freeing its clusters. The exceptions are large files and files from removable media, which are deleted directly
Setting Windows registry key "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate" to 1 - ✔✔disables updating of the last-accessed timestamp on NTFS volumes, so that timestamp no longer records when a file was read
What Happens When a File is Deleted? Windows 98 and earlier (FAT) - ✔✔- C:\Recycled (4GB limit
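The FAT behaviour above (first name byte overwritten with E5h, cluster number and size left in place, data untouched until reused) can be checked byte by byte. The following is an added example, not code from the original study material: it builds a constructed one-file directory and data area, applies the deletion the way the OS does, parses the entry back and reads the data through the leftover fields. The 512-byte cluster size and the contiguous-cluster assumption in `recover()` are assumptions made for the example.

```python
import struct

# 32-byte FAT short-name directory entry: name, ext, attr, NT reserved,
# create-time tenths, create time, create date, last-access date,
# first cluster (high word), write time, write date, first cluster (low word), size.
DIR_ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
CLUSTER_SIZE = 512          # assumption for this example
FIRST_DATA_CLUSTER = 2      # FAT data clusters are numbered from 2
DELETED_MARK = 0xE5


def make_entry(name: str, ext: str, first_cluster: int, size: int) -> bytes:
    """Build a live directory entry for a regular file (attribute 0x20 = archive)."""
    return DIR_ENTRY.pack(
        name.upper().ljust(8).encode("ascii"), ext.upper().ljust(3).encode("ascii"),
        0x20, 0, 0, 0, 0, 0,
        (first_cluster >> 16) & 0xFFFF,     # high word of first cluster (FAT32)
        0, 0,
        first_cluster & 0xFFFF,             # low word of first cluster
        size,
    )


def os_delete(entry: bytes) -> bytes:
    """What the OS does on delete: overwrite the first name byte with E5h.
    Cluster number, size and timestamps stay in place; the clusters are only
    marked free in the FAT (not modelled here), never wiped."""
    return bytes([DELETED_MARK]) + entry[1:]


def parse_directory(directory: bytes) -> list:
    """Walk a directory region and report live and deleted entries."""
    entries = []
    for off in range(0, len(directory), DIR_ENTRY.size):
        raw = directory[off:off + DIR_ENTRY.size]
        if len(raw) < DIR_ENTRY.size or raw[0] == 0x00:
            break                                   # 0x00 marks the end of the directory
        f = DIR_ENTRY.unpack(raw)
        name, ext = f[0], f[1]
        deleted = name[0] == DELETED_MARK
        if deleted:
            name = b"?" + name[1:]                  # the first character is lost for good
        entries.append({
            "name": f"{name.decode('ascii').rstrip()}.{ext.decode('ascii').rstrip()}",
            "deleted": deleted,
            "first_cluster": (f[8] << 16) | f[11],
            "size": f[12],
        })
    return entries


def recover(entry: dict, data_area: bytes) -> bytes:
    """Read the file back using the fields the deletion left behind.
    Assumes the clusters are contiguous: the FAT chain is gone after deletion,
    so a fragmented file would need carving instead."""
    start = (entry["first_cluster"] - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return data_area[start:start + entry["size"]]


def demo():
    """Constructed volume: one file in cluster 3, deleted, then overwritten."""
    content = b"payroll export 2024-05"
    data_area = bytearray(CLUSTER_SIZE * 4)                          # clusters 2..5
    data_area[CLUSTER_SIZE:CLUSTER_SIZE + len(content)] = content    # cluster 3
    directory = make_entry("secret", "txt", 3, len(content)) + b"\x00" * 32

    live = parse_directory(directory)[0]
    deleted_dir = os_delete(directory[:32]) + directory[32:]
    deleted = parse_directory(deleted_dir)[0]
    recovered = recover(deleted, bytes(data_area))                   # still intact

    # A new file is allocated the same cluster: now the old content is gone.
    data_area[CLUSTER_SIZE:2 * CLUSTER_SIZE] = b"quarterly notes".ljust(CLUSTER_SIZE, b"\x00")
    after_overwrite = recover(deleted, bytes(data_area))
    return live, deleted, recovered, after_overwrite


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The deleted entry keeps its cluster number and size, which is why undelete tools can work at all; the `?ECRET.TXT` name shows the one thing the deletion really destroys.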
Dictionary Attack - ✔✔uses every word present in a dictionary (wordlist) file as a candidate password. Dictionary attacks are far faster than brute force, but they only succeed when the password is in the list; they fail against long random passphrases
Syllable Attack - ✔✔the combination of both a brute force attack and a dictionary attack. This is often used when the password is a nonexistent word. The attacker takes syllables from dictionary words and combines them in every possible way to try to crack the password
Rule-Based Attack - ✔✔This type of attack is used when an attacker already has some information about the password, for example from the password policy. He or she can then write a rule so that the password-cracking software generates only candidates that meet this rule. For example, if the attacker knows that all passwords on a system consist of six letters and three numbers, he or she can craft a rule (mask) that generates only these types of passwords. Because the rule shrinks the keyspace that has to be searched, this is considered the most powerful attack
Hybrid Attack - ✔✔This type of attack is based on the dictionary attack and brute force. Often, people change their passwords by just adding numbers to their old passwords. In this attack, the program appends numbers and symbols to the words from the dictionary. For example, if the old password is "system", the user may have changed it to "system1" or "system2"
Password Guessing - ✔✔Sometimes users set passwords that can be easily remembered, such as a relative's name, a pet's name, or an automobile license plate number. This makes the password easy to guess. Unlike other methods of password cracking, guessing requires only physical access or an open network path to a machine running a suitable service
Rainbow Attack - ✔✔a table of precomputed password hashes, called a rainbow table, is created in advance and stored on disk before the attack. It is a time-memory tradeoff: rather than storing every possible password and its hash, the table stores the start and end points of hash-and-reduce chains that cover the keyspace and are recomputed at lookup time. It recovers a plaintext password from a captured hash, provided the hash is unsalted (so every user with the same password has the same hash) and the password lies within the table's character set and length. Per-user salts, as used by modern password stores, defeat precomputed tables
L0phtCrack - ✔✔Helps to recover lost Microsoft Windows passwords by using dictionary attacks, hybrid attacks, rainbow tables, and brute-force attacks
Ophcrack - ✔✔A Windows password cracker based on rainbow tables. It has a GUI and runs on multiple platforms
Cain & Abel - ✔✔A password recovery tool for Microsoft operating systems. It sniffs the network and cracks encrypted or hashed passwords using dictionary, brute-force, and cryptanalysis attacks. It exploits weaknesses present in protocol standards, caching mechanisms, and authentication methods to simplify recovery of passwords and credentials from various sources. It includes ARP Poison Routing (APR), which enables sniffing on switched LANs and man-in-the-middle attacks. Through that MITM position the sniffer can also analyze encrypted protocols, such as HTTPS and SSH-1, and it contains filters to capture credentials from a wide range of authentication mechanisms
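The difference between the dictionary, hybrid, rule-based (mask) and brute-force attacks above is simply which candidate stream is fed to the hash comparison. The following is an added example, not from the original material: each attack is a generator of candidates, `crack()` hashes them until one matches, and `keyspace()` shows why a rule that fixes the password structure is so much cheaper than brute force. The unsalted SHA-256 target, the tiny wordlist and the mask token set are assumptions made for the example (real Windows targets are LM/NTLM hashes).

```python
import hashlib
import itertools
import string


def H(password: str) -> str:
    """Stand-in for the target's hash (assumption: unsalted SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed wordlist; a real dictionary attack streams a file of millions of words.
WORDLIST = ["password", "welcome", "system", "admin", "letmein"]

MASK_SETS = {                     # mask tokens in the style of common crackers
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
    "?s": "!@#$%^&*",
}


def dictionary(words):
    """Dictionary attack: every word, exactly as listed."""
    yield from words


def hybrid(words, max_number=99, symbols="!?#"):
    """Hybrid attack: dictionary words plus the 'just add a number' mutation."""
    for w in words:
        yield w
        for n in range(max_number + 1):
            yield f"{w}{n}"
        for s in symbols:
            yield f"{w}{s}"


def rule_mask(mask: str):
    """Rule-based attack: only candidates with a known structure, e.g. '?l?l?d?d'."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    for combo in itertools.product(*(MASK_SETS[t] for t in tokens)):
        yield "".join(combo)


def brute_force(charset: str, length: int):
    """Brute force: the whole keyspace for a fixed length, for comparison."""
    for combo in itertools.product(charset, repeat=length):
        yield "".join(combo)


def keyspace(mask: str) -> int:
    """Number of candidates a mask produces; this is why rules beat brute force."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= len(MASK_SETS[mask[i:i + 2]])
    return n


def crack(target_hash: str, candidates):
    """Hash each candidate and compare; returns the plaintext or None."""
    for cand in candidates:
        if H(cand) == target_hash:
            return cand
    return None


if __name__ == "__main__":
    target = H("system7")                          # the 'system' user added a digit
    print("dictionary:", crack(target, dictionary(WORDLIST)))
    print("hybrid:    ", crack(target, hybrid(WORDLIST)))
    print("mask ?l?l?l?l?l?l?d?d?d covers", keyspace("?l?l?l?l?l?l?d?d?d"), "candidates")
    print("brute force over 9 alphanumerics would be", 36 ** 9)
```

The mask for the page's "six letters and three numbers" policy yields 26^6 * 10^3 candidates, four orders of magnitude fewer than a brute-force search of nine alphanumeric characters.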
RainbowCrack - ✔✔A hash cracker that uses a time-memory tradeoff algorithm. In a one-off precomputation stage it walks the selected hash algorithm, character set and plaintext length and stores the resulting chains in "rainbow table" files; cracking a hash then costs a table lookup plus a few thousand hash operations instead of a full brute-force search
PWdump7 - ✔✔An application that dumps the password hashes (OWFs, one-way function outputs) from the NT SAM database. It extracts the LM and NTLM password hashes of local user accounts from the SAM database, reading the hive from disk with its own file system driver so that the locked files can still be read on a running system
Fgdump - ✔✔A utility for dumping password hashes on Windows NT/2000/XP/2003/Vista machines; it wraps pwdump, attempts to disable antivirus that would block it, and also dumps cached domain credentials
Bypass/reset BIOS password - ✔✔- manufacturer's backdoor password
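The rainbow attack described above and the RainbowCrack precomputation stage both rest on the same chain construction, which is easier to understand in code than in prose. The following is an added example, not code from the original material or from RainbowCrack: it builds a small rainbow table over three-letter lowercase passwords, runs the online lookup, and then shows the same password surviving the lookup once a salt is added. The hash function (unsalted SHA-256), keyspace, chain length and number of chains are assumptions for the example.

```python
import hashlib
import string

CHARSET = string.ascii_lowercase
PW_LEN = 3                               # keyspace of 26**3 = 17,576 passwords
KEYSPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 40                           # columns per chain
NUM_CHAINS = 1500                        # rows actually stored


def H(password: str) -> str:
    """Assumption: the target stores unsalted SHA-256; real tables target LM/NTLM."""
    return hashlib.sha256(password.encode()).hexdigest()


def reduce_(hash_hex: str, column: int) -> str:
    """Map a hash back to some password in the keyspace. Mixing in the column
    index gives each column its own reduction function, which is what makes
    this a rainbow table and keeps chains from merging as often."""
    n = (int(hash_hex[:16], 16) + column) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def chain_start(i: int) -> str:
    """Deterministic start point for chain i."""
    return reduce_(H(f"chain-{i}"), 0)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precomputation: walk hash->reduce chains, store only {endpoint: start}."""
    table = {}
    for i in range(num_chains):
        p = start = chain_start(i)
        for column in range(chain_len):
            p = reduce_(H(p), column)
        table.setdefault(p, start)       # merged chains: keep the first one
    return table


def lookup(table: dict, target_hash: str, chain_len: int = CHAIN_LEN):
    """Online phase: for each column, regenerate the chain tail from the target
    hash and test whether it lands on a stored endpoint; then rebuild that
    chain from its start and compare each column's hash with the target."""
    for column in range(chain_len - 1, -1, -1):
        p = reduce_(target_hash, column)
        for later in range(column + 1, chain_len):
            p = reduce_(H(p), later)
        start = table.get(p)
        if start is None:
            continue                     # no endpoint match in this column
        cand = start
        for col in range(chain_len):
            if H(cand) == target_hash:
                return cand
            cand = reduce_(H(cand), col)
        # endpoint matched but the chain did not contain the hash: a false alarm
    return None


TABLE = build_table()
KNOWN_PASSWORD = chain_start(0)          # guaranteed to be covered by the table


def crack_unsalted() -> str:
    """Captured unsalted hash: recovered from the table."""
    return lookup(TABLE, H(KNOWN_PASSWORD))


def crack_salted(salt: str = "x9"):
    """Same password, but the system hashed salt+password: the table is useless."""
    return lookup(TABLE, H(salt + KNOWN_PASSWORD))


if __name__ == "__main__":
    print("stored rows:", len(TABLE), "of", NUM_CHAINS, "chains")
    print("unsalted:", crack_unsalted(), "salted:", crack_salted())
```

The table stores only endpoints, so it is far smaller than a full hash-to-password lookup, and the lookup cost is about `CHAIN_LEN**2 / 2` hash operations per hash. Coverage is probabilistic: a password can sit in a chain that merged with another and was dropped, which is why real tables are generated with a target success rate rather than a guarantee.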
etc
Strictly implementing countermeasures against anti-forensics - ✔✔may enable an investigator to successfully deal with a case
System Time - ✔✔The first step while investigating an incident is the collection of this, so that every later artifact can be placed on a reliable timeline
Logged-on Users - ✔✔The next step after collecting system time is to determine who was and who currently is on the system
Some of the tools and commands used to determine logged-on users - ✔✔PsLoggedOn, net session, LogonSessions
PsLoggedOn - ✔✔displays both the locally logged-on users and the users logged on via resource shares, for either the local computer or a remote one
net session - ✔✔displays information about all sessions open to the local computer from other hosts
LogonSessions - ✔✔lists the currently active logged-on sessions and, with the -p option, the processes running in each session
Open Files - ✔✔Files that are currently in use, i.e. opened within the operating system
The following applications let you gather information on open files - ✔✔net file, PsFile, Openfiles
net file - ✔✔displays the names of all open shared files on a server and the number of file locks, if any, on each file. It can also close files and remove file locks
PsFile - ✔✔a command-line utility that retrieves the list of files opened remotely on a system and allows the investigator to close open files
Openfiles - ✔✔queries or displays open files and also queries, displays, or disconnects files opened by network users
Network Information - ✔✔Nbtstat, NetBIOS over TCP/IP (NetBT)
NetBIOS over TCP/IP (NetBT) - ✔✔resolves NetBIOS names to IP addresses when a network is functioning normally
Nbtstat - ✔✔helps to troubleshoot NetBIOS name resolution problems. Switches: -a RemoteName (name table of a remote host, by name), -A IPAddress (name table of a remote host, by IP address), -c (contents of the NetBIOS name cache), -n (local NetBIOS names), -r (names resolved by broadcast and via WINS), -S (sessions table with remote IP addresses)
Netstat tool - ✔✔helps in collecting information about the network connections active on a Windows system
The most common way to run Netstat is with - ✔✔the -ano switches; these tell the program to display all TCP and UDP network connections, listening ports, and the identifiers of the owning processes (PIDs), with addresses shown numerically. Other switches: -r (routing table), -e (Ethernet statistics), -p Protocol (connections for one protocol only)
Collecting Volatile Information: Information to collect - ✔✔System Time, Logged-on Users, Open Files, Network Information, Network Connections, Process Information, Process to Port Mapping, Process Memory, Network Status, Print Spool Files, Other Information
Syntax: netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval] - ✔✔-a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening. -e: Displays Ethernet statistics, such as the number of bytes and packets sent and received; this parameter can be combined with -s. -n: Displays active TCP connections, but addresses and port numbers are expressed numerically, and no attempt is made to resolve names. -o: Displays active TCP connections and includes the process ID (PID) for each connection; the application can be found by its PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p
Pslist.exe - ✔✔displays basic information about the processes already running on a system, including how long each process has been running. Switches: -x (thread and memory details), -t (process tree), -d (thread detail), -m (memory detail), -e (exact match for the process name)
ListDLLs - ✔✔reports the DLLs loaded into processes: process name, PID, DLL name and path. Switches: -r (flag DLLs relocated away from their base address), -u (list only unsigned DLLs), -v (show version information)
Handle - ✔✔displays information about the open handles of any process. Switches: -a (all handle types, not only files), -c (close a handle, given its value and PID), -l (show sizes of pagefile-backed sections), -y (do not prompt for confirmation when closing)
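The "Process to Port Mapping" item in the volatile-information list is produced by joining `netstat -ano` output (which gives a PID per socket) with a process list. The following is an added example, not from the original material: it parses constructed sample output of `netstat -ano` and `tasklist /fo csv` (neither captured from a real host), joins them on PID, lists the listening ports, and flags established sessions to addresses outside the internal ranges. The internal address ranges and the "external established session from an interactive tool" heuristic are assumptions to be tuned per environment.

```python
import csv
import io
import ipaddress

# Constructed sample of `netstat -ano` output (not from a real host).
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49811     203.0.113.7:4444       ESTABLISHED     3120
  TCP    192.168.1.20:49902     192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1604
"""

# Constructed sample of `tasklist /fo csv` output.
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,024 K"
"svchost.exe","892","Services","0","12,340 K"
"chrome.exe","1604","Console","1","210,000 K"
"powershell.exe","3120","Console","1","65,120 K"
'''

# Assumption: these are the organisation's internal ranges (RFC 1918 plus loopback/unspecified).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def parse_netstat(text: str) -> list:
    """Parse `netstat -ano` output into one dict per socket."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                                      # headers and blank lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])                # UDP rows have no State column
        lhost, lport = local.rsplit(":", 1)               # rsplit also copes with [::]:135
        fhost, fport = foreign.rsplit(":", 1)
        conns.append({"proto": proto, "local_host": lhost, "local_port": int(lport),
                      "foreign_host": fhost, "foreign_port": fport,
                      "state": state, "pid": pid})
    return conns


def parse_tasklist(text: str) -> dict:
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def process_port_map(netstat_text: str, tasklist_text: str) -> list:
    """Join sockets to their owning process by PID."""
    procs = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    for r in rows:
        r["process"] = procs.get(r["pid"], "<unknown>")  # PID may have exited between commands
    return rows


def listening_ports(rows: list) -> list:
    return sorted({r["local_port"] for r in rows if r["state"] == "LISTENING"})


def is_external(host: str) -> bool:
    """True for a routable address outside INTERNAL; '*' and names are treated as not external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL)


def suspicious(rows: list) -> list:
    """Heuristic (assumption): established TCP sessions to external addresses deserve a look."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and is_external(r["foreign_host"])]


if __name__ == "__main__":
    rows = process_port_map(NETSTAT_ANO, TASKLIST_CSV)
    print("listening:", listening_ports(rows))
    for r in suspicious(rows):
        print(f"{r['process']} (PID {r['pid']}) -> {r['foreign_host']}:{r['foreign_port']}")
```

On a live system the two commands should be run back to back and their raw output saved before any parsing, since the join is only as good as the time gap between them.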
ClearPageFileAtShutdown - ✔✔registry value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management that, when set to 1, clears the page file at system shutdown, possibly deleting valuable data such as fragments of process memory or plaintext credentials that had been paged out
DisableLastAccess - ✔✔the fsutil behavior name (fsutil behavior set disablelastaccess 1) for the NtfsDisableLastAccessUpdate registry value; used to disable the updating of last access time on files, after which the last-accessed timestamp can no longer show when a file was read
Common artifact locations of Microsoft Edge (the legacy EdgeHTML-based browser; the Chromium-based Edge keeps its profile under \Users\user_name\AppData\Local\Microsoft\Edge\User Data instead) include:
Edge cached files location - ✔✔\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC#!001\MicrosoftEdge\Cache
Edge last active browsing session data location - ✔✔\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active
Edge stores history records, cookies, HTTP POST request header packets and downloads in - ✔✔\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (an ESE database; collect it together with its transaction log files, since a copy taken from a running system is usually in a dirty state and must be repaired before it opens cleanly)
If the last browsing session open was in InPrivate mode, the browser stores these records in - ✔✔\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\{browsing-session-ID}.dat